Apple maintains tight control over its iOS software and hardware. There is no file system per se to which users have direct access, applications cannot easily communicate or collaborate with each other, you can only get apps from the App Store and so on.

Apple has done this to ensure a high level of quality and uniform usability for its customers. The company also wants to maximize its iOS revenues by making sure that only apps it approves and hosts on the App Store can be downloaded and installed. As a side benefit to customers, all of these controls make the iOS a very secure mobile platform and a favorite in corporate environments.

For the most part, the iOS user community accepts this state of affairs. However, many other owners of iPhones and iPads have gotten tired of the stringent controls Apple places on their devices, limiting them from fully utilizing all iOS capabilities. Many users have decided to jailbreak their devices in order to unlock more of the features that iOS has to offer.

What is Jailbreaking?

Jailbreaking refers to the process whereby you can remove the controls and restrictions Apples has placed in iOS and you can use your device more like an Android, which does not have iOS style controls, or a personal computer.

Whether jailbreaking is something you do to your iPhone depends on what you want to accomplish, and whether you are willing and able to accept the risks.

iOS Security Architecture Overview

At this year’s RSA Security Conference 2012, I attended a lecture session on iOS Security Fundamentals given by security threat researchers Dino Dai Zovi and Charlie Miller. The information in this section is a summary of the points they presented.

Jailbreaking an iOS device is a challenging obstacle course that requires considerable hacking skill and effort to conquer. It involves applying multiple exploits to poke holes through the several layers of security built into the operating system. Specifically, the iOS architecture includes these security elements:

• Reduced attack surface. There are fewer apps to attack in iOS and consequently fewer bugs to exploit. Flash and Java are frequent attack targets on other operating systems but do not run on iOS. Many file types either cannot be rendered or are only supported to a limited degree. Not all features of PDF files, for example, are supported. There is no terminal shell (/bin/sh) nor the binaries that you can run in shells, like “ls”, “rm”, “cp”, “mv”, etc. That means you cannot run shell code exploits.
• Privilege separation. Most iOS processes run in a limited user privilege mode. You don’t get direct “root” access, which on other operating systems lets you do anything you want to your computer.
• Code signing. All executable and applications must carry signatures certified by Apple. Signatures are validated whenever any executable or application is run on iOS. This is why you only can get apps from the App Store. Code signing makes it nearly impossible for attackers to upload and run remote apps on your iPhone.
• Non-executable memory. Buffer overflow is a hacking technique where an attacker injects malicious code into areas of memory allocated to store data that are outside the memory boundaries of a given application. Once there, this code can be executed beyond your control to damage files or steal data from your system. By contrast, iOS does not allow code to be executed from memory marked for data storage. In other words, data written to memory by an application cannot be executed.
• Address space layout randomization. Operating systems that load code and data into fixed, predetermined memory locations are more susceptible to buffer overflow since attackers know in advance where code and data will reside in memory. iOS puts code and data in random memory locations so attackers must guess where their code will run. Wrong guesses can cause the malicious code to crash, which is usually an irrecoverable situation.
• Sandboxing. Applications obtained from the App Store run in a restrictive sandbox that limits access to iOS system resources. Apps that are installed with iOS, like Safari, also run in a sandbox, but one that is less restrictive than the purchased application sandbox. These apps can open your address book, photos, movies, and so forth, but are prevented from other potentially damaging activities like sending SMS messages.

Benefits of Jailbreaking

After reading the list of security protections offered by iOS, you might wonder why anyone would want to jailbreak their iPhone or iPad. There are, however, practical benefits to jailbreaking.

When you use your iPhone internationally, you are subject to roaming charges. For Internet access you can always use free Wi-Fi hotspots to hold down roaming charges, but free Wi-Fi is not as common in countries outside the US. You can unlock a jailbroken iPhone, allowing you to replace your original SIM with an inexpensive pay-as-you-go SIM that you purchase in the country you are visiting.

For an extra monthly charge, you can tether your iPhone to your notebook computer to give the latter Internet access in areas where there is either limited or expensive Wi-Fi. Alternatively, there are several apps that run on jailbroken iPhones that give you this same access for free.

Without jailbreaking, you have to use AT&T or Verizon – assuming you are located in the US – as your carrier for your iPhone. But jailbreaking and unlocking your iPhone lets you use any 3G or 4G carrier.

Risks with Jailbreaking

The security risks of jailbreaking are huge. You give up all the considerable security protection the iOS normally provides. This leaves your iPhone or iPad more vulnerable to attack.

When you jailbreak your iOS device, you are never completely sure what the jailbreaking code is doing. For all you know, the code could be installing other malicious binaries. Don’t forget that by definition and practice the process of jailbreaking involves exploiting your iPhone in the first place.

If something goes wrong during the jailbreaking process, you automatically void your warranty with Apple. Don’t bother taking your hopelessly dorked up iPhone to Apple service, they will turn you away on the spot. That said, all you have to do to restore your iOS device to factory settings is connect to the computer that you use to back up iOS and go through a restore operation.

When it comes to updating your iOS software, you are kind of stuck. The act of updating will undo your jailbreak and you may have to wait for a while before a jailbreak for your new iOS version is released. You may have to forego iOS updating if you prefer using your iPhone in a jailbroken state.

So far Apple has not created any updates that intentionally damage jailbroken iOS devices. At the same time, since the company does not condone nor support the practice, it is unlikely they will give much consideration to the effect any given update has on these devices.

Is Jaibreaking for You?

Jailbreaking unlocks some interesting capabilities in iOS devices for users adventurous enough to try it. However, in my opinion, the security risks and inconvenience of jailbreaking outweigh the benefits. I haven’t jailbroken my own iPad nor am I likely to in the near future.

If you bring your iOS device into work you should check to see if your company has a policy prohibiting jailbroken devices from connecting to the company network. If your company has such a policy you will have to forgo jailbreaking or restore the original iOS software on your device to comply.

It’s wise to think twice before jailbreaking your iPhone or iPad.

Video series based on Trend Micro session* at the Mobile World Congress 2012.

What is consumerization?

It’s probably the most disruptive trend for IT for the next 10 years, and it means two things for corporate IT.

One, is that there is more and more consumer technology available that the enterprise can deploy with the internal customer base. There is mobile, but there are many other applications here that somehow have a space in the enterprise.

But probably, the second aspect, which is probably the more challenging for corporate IT, is the fact that this consumer technology is brought into the enterprise by the end users, which really represent a challenge, as we’ll see, because the IT process is not really designed to receive technology from outside. It’s designed to deploy technology internally.

Download Slide #1   *   Download Slide #2   *   Download Slide #3   *   Download Slide #4

COMING NEXT: The Consumerization University – Day 2: Consumerization is real

* Mobile Security Forum: “Consumer Mobile Technology in the Enterprise: A Leap of Faith?”

An increasing number of companies are opening corporate networks and data to consumer mobile devices, as employees demand to bring their own smartphones and tablets to work. However, consumer mobile technology is generally not as secure and manageable as required by the enterprise. And too many companies make the mistake of trying to stop the influx of consumer IT. What new mobile platforms will your organization contend with? What built-in security models do they provide? What vulnerabilities are they exposed to? How rigorous is the scrutiny of the official application markets? Is the corporate data stored in these devices safe? In this series, leading mobile security experts answer these questions and, more importantly, reveal solutions and best practices for your company to safely embrace consumer mobile technology in the enterprise.

I believe that most security risks in BYOD come from ‘non-malicious incompetence’ on the part of employees. It’s vital to educate them about how easily security can be compromised.  Sharing these four preventive measures can incent employees to help protect corporate data, as well as their own personal information.

1.     Control Access to Your Phone

This is the simplest front line of defense.  While people don’t deliberately forget their phone in a public restroom, gym, or restaurant, we all know it happens. So, make sure you have the appropriate device lock in place, either a pin code, or screen pattern lock. If you have a pattern lock (this is where you join the dots to unlock your phone) make sure you wipe the screen to avoid leaving smudges that can reveal your pattern.

A number of social engineering attacks focus on getting physical access to your device either to install a malicious app or to read your data. If your phone has a removable SD memory card that is not encrypted, an attacker could remove it and read its data. Encrypting memory card data is important, either by using the capability of the device or using a third party encryption solution.

The company security policy requires this type of basic protection when you use your smartphone for work purposes.

2.     Be Wise About Downloading Applications

There is great risk in downloading applications, more so if apps are “side loaded” or otherwise loaded from unapproved or unofficial marketplaces.

When you agree to download an app you will need to accept a list of permissions that grant capabilities to the application. For example an app may need to access your location data or your camera. Rogue apps, in the form of Trojans, may take advantage of these new permissions and you may unknowingly allow the application to access your camera, or your personal or corporate data without realizing it.

In addition, such malware applications can embed functions that allow your phone to make premium rate calls while you are playing a game, for example. You won’t know this until you receive a whopping bill at the end of the month and by then its too late.

The company’s BYOD policy outlines the type of personal applications that are acceptable and safe on your phone, and also specifies approved sources of applications.

3.     Think Before you Respond to Certain E-mail Messages

In our hectic lives, the ability to access email while we’re on a train, or in the supermarket, is wonderfully convenient.  We tend to multitask and zip through email. Remember that the small screen of a smartphone makes it more difficult to detect possible phishing emails. Your bank’s email may look legitimate, but if you don’t have time to check it carefully, don’t respond or click on any links.  It’s much safer to wait until you can read it carefully.

4.     Understand and Accept the Benefits of Mobile Device Management Software

The best way to protect your BYOD smartphone is through corporate-installed mobile device management software.  This can protect your device in a number of ways. For example it can detect if your phone’s SIM card has been changed, back up your data automatically, remotely wipe a lost phone, help recover a lost phone by using its GPS location or even command the phone to emit a really high pitched alarm to scare off a thief.

Research In Motion and Apple: two firms with more contrasting current fortunes you could not wish to imagine. The once high-flying Canadian BlackBerry-maker, for so long the darling of IT managers and beloved of time-starved execs the world over, has lost its way as rivals from the consumer space start to eat into its core enterprise business. Then there’s the phenomenon that is Apple, the Cupertino giant molded into the slick, stylish consumer success story it is today by the late Steve Jobs. You’re probably as likely in many organizations to see staff using an iPhone for work as a BlackBerry today, which makes two recent announcements from the tech giants all the more interesting for what they say about the firms’ respective strategies and what it all means for IT managers caught in the middle.

Let’s take Apple first. A company whose primary aim is to make beautiful products at high margins, it was 100 per cent focused on the consumer when its iOS-based iPhone burst onto the scene back in 2007. Since then, the Cupertino firm has released several more models, as well as market leading tablet the iPad and slowly appears to be rolling more enterprise-friendly features¹ into the platform.

Take, for example, volume purchases for businesses via the App Store – recently added capabilities designed to streamline the large-scale buying of applications for corporate users. Or how about the iPhone in Business and the iPad in Business web sites? Both are designed to attract the business user and showcase features which could appeal to those looking for a new corporate device. The latest much-touted announcement was the launch of the iPad Configurator: a new Mac app which enables admins to configure up to 30 devices at a time according to corporate requirements – but not to manage them remotely.

Sounds great, but don’t let this slow creeping of iOS functionality into the enterprise fool you into thinking Apple has suddenly become a business-friendly company. Sure, it is providing more capabilities now in its devices to make them easier to use and manage in the corporate sphere, but it will always be a consumer-focused firm. It’s just that it has made its products so user-friendly that everyone who buys one now also wants to use it at work.

If you’re in any doubt as to Apple’s primary focus, consider the iPad Configurator. It enables management of only up to 30 devices – not practical for any but the smallest of organizations – and is primarily designed for the IT department which has purchased its devices and has yet to dole them out, rather than one faced with the problem of managing existing user-bought devices. Then let’s think about Apple the company. Does it have enterprise sales and support staff? An enterprise sales platform? Does it clearly communicate its product roadmap so large scale and long-term purchasing plans can be drawn up by its business customers? The answer to all of these questions is not really, although sources indicate that Apple may be acquiring some enterprise sales staff from a well-known corporate tech vendor.

Yet despite the lack of Apple’s business credentials², IT managers must evolve to meet the increasingly demanding needs of their users and the changing requirements of the role. Put simply, this means that they can no longer procure from a single enterprise vendor – they need to open up to multiple providers and be ready to accept and manage consumer devices. The good news is that there are vendors who can help fill the growing security and management holes that have appeared in this new mobile computing environment. One of them, perhaps surprisingly, is that old friend of the IT department, Research In Motion.

Now RIM has seen its business stall thanks in a large part to the success of the iPhone as well as the obvious challenge from Android. Recent Forrester research in fact place the three as having a roughly equal share of the workplace market. Unfortunately, instead of sticking to what it does best – providing  highly secure hardware and sophisticated management software – it tried to beat Google and Apple at their own game and entered the consumer space. The strategy hasn’t worked and the company lurches from one bad launch to another with profits and share price plummeting. However, it did something very smart in April – it launched an update to its BlackBerry Mobile Fusion server software which will allow admins to manage iOS and Android devices as well as BlackBerry.

Unlike Apple, which is resolutely homogenous – you won’t be able to use the iPad Configurator for any non-Apple device, for example – RIM has taken the bold step of admitting not everyone in the enterprise will use a BlackBerry. This is a genuine move in the right direction – not only is a focus on the software side of its business better for its margins but it also plays to the firm’s biggest strength, its market leading security and mobile device management capabilities.

It should also serve as a firm reminder to any IT managers still not sure how to respond to the disruptive force of consumerization³. 5If RIM can open itself up to interoperability with rival platforms, maybe they too should adopt a more open mindset when revising their corporate mobile device strategy.

The sands are rapidly shifting in enterprise IT but the quick witted IT professionals will understand that they are no longer a provider of technology for their company but a broker. It’s not for them to decide what mobile platforms to use but for their execs, line of business owners and end users to decide. IT’s new role is to engage as fully as possible with the requirements of the end users, find out where potential vulnerabilities⁴ lie and make it happen. Sadly for RIM, there’s no going back to the old days now, but nor should the future be feared.

If you have evidence that Apple is finally getting serious with the Enterprise, I’d love to hear from you.

If you have evidence that RIM is finally opening up to consumer technology, I’d love to hear from you.

Reference¹ How Secure is Your Smartphone? Android, iOS, BlackBerry and Windows Phone Under Attack http://bringyourownit.com/2012/04/04/safe-smartphone-android-ios-blackberry-windows-phone-attack/

Reference² Jailbreaking BYOD Control. Is Apple iOS ready for enterprise primetime? http://consumerization.trendmicro.com/consumerization-byod-jailbreak-apple-control-enterprise-primetime/

Reference³ Consumerization Talks with Ken Dulaney, VP Gartner Research. http://bringyourownit.com/2011/06/28/consumerization-talks-with-ken-dulaney-vp-gartner-research/

Reference⁴ BYOD Best Practices – Three pitfalls you can’t afford to ignore http://consumerization.trendmicro.com/byod-best-practices/

Regain control? Is that even possible? Yes! And there’s no better way than to talk to other IT managers to find out what they are doing about consumerization. What types of employee-owned mobile devices are they allowing on their corporate networks? And what are they doing to secure these devices? To get the answers you need, Trend Micro conducted an in-depth survey of IT administrators in the U.S., Japan, and Germany.  The survey report may surprise you.

Among companies that allow BYOD, 96% have at least one security measure in place to address consumerization—but that’s often not enough. The majority of respondents say a combination of mobile security and mobile device management (MDM) is most effective. The top three tools used to secure BYOD are security software, data loss prevention (DLP), and remote lock. Find out what other tools your peers recommend and learn about a full range of Trend Micro solutions—from endpoint and mobile security, DLP, and encryption to data center and cloud security.

Check back this summer for more survey reports from Forrester and Decisive Analytics.

What are you doing to help gain control?

In a previous post¹ I raised three pitfalls that your BYOD program cannot afford to ignore when allowing employees to use their personal devices for work:

• Remote deletion of personal data on an employee-owned device
• Tracking an individual’s location
• Monitoring an employee’s Internet access

Based on my involvement with various BYOD projects and my ongoing conversations with many industry experts, here is my recommendation for three best practices that will allow you to strike the delicate balance between employee privacy and corporate liability :

Have a Comprehensive, Clear Policy that explicitly covers these issues of data deletion, location tracking and Internet monitoring.

HR, Legal, and Communications should provide their expertise to create the actual document. This is not solely the IT department’s responsibility. It requires far more than a little box to check off, as you would when accepting a software user agreement. The details must be read, understood and signed off on. Employees must be trained.

To that point, the policy document must be in clear layperson language, and spell out all the bad things² that could happen to your device in a worst-case situation. For example: If my smartphone/tablet is stolen, the company will remotely wipe any sensitive corporate data from it.  I understand and accept that there is potential risk to my personal data.

The policy should cover possible confiscation of a personal device—if the company’s electronic communications and actual devices should be impounded during an E-Discovery legal case. Here, the company should state its position about replacing an employee’s personal device.

The company must be up-front in acknowledging that in exchange for using the corporate network, IT will have the ability to locate your device at any time.

Finally, with respect to monitoring Internet activity, the policy should be exceedingly clear:  Any data I access through the Internet when I am attached to the corporate network may be monitored and logged. The company has a responsibility not to divulge my personal information, unless there is criminal activity that the company would be obligated to report to authorities.

Do Not Assume That One Policy Size Fits All Users

Design your policy with the ability to tailor it for different groups of users and limit device control and user tracking to the minimum required by your company’s regulations.

There is no need to require an employee to accept the possibility of personal data wiping if s/he only uses the corporate network to browse the Internet.  On the other hand, an engineer needing access to the company’s Intellectual Property needs to accept a different level of privacy exposure.

Work with functional managers to help determine the degree of access you grant.

If you are dealing with a senior executive, your role may be to personally detail the potential exposures of sensitive corporate data.

Deploy the Right IT Infrastructure for Your Situation

The right IT infrastructure for Consumerization may include deploying different solutions to mitigate the pitfalls of employee privacy while securing corporate data.

Use as much virtualization as possible. VDI or other similar means to provide remote access to corporate applications from laptops and desktops is an approach I recommend where employee privacy is of concern.  No corporate data resides on the employee device, so there is nothing to wipe out.  Likewise, there is no need to track location, because everything is happening inside your data center. There’s also nothing to monitor in the device itself, because the virtual desktop activity is local to your corporate network.

Mobile Device Management is needed to secure smartphones and tablets where the virtual environment does not work well because of the small screens, or because the target mobile operating system doesn’t provide true VDI support yet – such as Apple iOS and Android.

Consider pseudo virtualized solution³ for Android devices.  These essentially split the ‘personality’ of the smartphone, which allows the user to have separate user identities by partitioning the personal and corporate sides.

In conclusion: Consumerization and BYOD are real⁴ and here to stay. Rather than resist it, organizations should embrace BYOD programs to unlock the business potential of Consumerization. This requires a strategic approach⁵, new flexible policies and appropriate security and management tools.

COMING NEXT: Educating Employees about Individual Privacy

Reference¹ Consumerization 101 – Employee Privacy Vs. Corporate Liability. http://consumerization.trendmicro.com/consumerization-101-employee-privacy-vs-corporate-liability/

Reference² The Dark Side of BYOD – Privacy, Personal Data Loss and Device Seizure. http://consumerization.trendmicro.com/consumerization-byod-privacy-personal-data-loss-and-device-seizure/

Reference³ MDM not the only avenue to BYOD security. But technology is simply not there yet. http://consumerization.trendmicro.com/mdm-not-the-only-avenue-to-byod-security-but-technology-is-simply-not-there-yet/

Reference⁴ Trend Micro Consumerization Report 2011. http://bringyourownit.com/category/the-consumerization-report/

Reference⁵ Consumerization Talks with Ken Dulaney, VP Gartner Research. http://bringyourownit.com/2011/06/28/consumerization-talks-with-ken-dulaney-vp-gartner-research/

“We’ll have to send it out to a service facility,” said the Apple Store rep. “What kind of turnaround time are we talking about”? I asked. “Probably no more than 5 days.” Immediately I began calculating. Let’s see, today is Wednesday, so three more work days. What do I have coming up? I need to give a presentation this evening on Internet safety to kids and their parents. Heading to New Jersey tomorrow morning for a meeting, but only need a way to take notes. I will definitely need to edit SharePoint data. And I’ve got to edit and finish that statement of work for a customer. Okay, could I really do everything I needed to do in my job using only an iPad?

So first things first: use Safari on the iPad to book the Amtrak reservation. Done. No challenge expected there. My presentation for the evening was already loaded into Keynote. Check. Video adapters for the iPad. Check. Using SafeSync, and the SafeSync app for the iPad, I have access to the folder of all the consulting services documents I work with every day. Check. Wait, not so fast. I can access the documents, and read them, but SafeSync doesn’t currently have an “Open with..” feature that will allow me to edit in the app of my choice. Need another option.

Chapter 1: Editing Office Docs

I’ve got a few Word docs that I need to edit, you remember, that statement of work? I’ve got Pages on the iPad, but it won’t handle all the formatting correctly. And since my laptop would be unavailable, none of my VNC apps would help. I decided to try a new service called OnLive Desktop. Essentially the company offers you a virtual Windows desktop preloaded with Microsoft Office apps. Perfect, I thought. I’ll just load the docs into that site and off I go. But wait, how can I get to the docs? This is when the first limitation of the iPad reared its head: even though Apple updated the software to allow you to sync without being tethered to a Mac, you still need to use iTunes or wifi to move documents into the apps with which you’d like to edit them (or use a service like DropBox). But even if I had put all the docs I needed to work on somewhere in “the cloud”, I still needed to edit them in Microsoft Word, plain and simple. So I “cheated” a little, but don’t worry, it won’t affect the “experiment” because I could have done this in preparation for being without the laptop.

I took my Time Machine drive, plugged it into my wife’s Mac, and copied the files I needed to her machine. Then I logged into my OnLive Desktop account and attempted to upload the files using Safari. No joy. In the middle of the upload I got an empty browser window and no further activity. Checking the OnLive site, the files were there but listed as 0KB and were indeed empty. Using live chat I talked to a support rep for OnLive who suggested I try with another browser. I fired up Firefox and made another attempt. This time I got a message saying the upload was completed successfully. But when I checked the site, the files were again empty. The support rep opened a case, and we hung up.

Just for kicks I decided to download Google Chrome to my wife’s laptop and try one more time. This time the upload went very quickly and Chrome showed me the files with their actual sizes, something neitherof the other browsers did. Could this be it? Aboard the Amtrak Acela I fired up the OnLive Desktop app, and attempted to log in. No love. Turns out Amtrak offers free wifi on board, but with restrictions. The OnLive service must count as a streaming service, which is blocked. When I got home, I fired up OnLive Desktop, and viola! The files were there. I am now working on a virtual desktop, editing the statement of work I needed to finish in Microsoft Word. Of course, the requirement is that I’m connected to the Internet. If I were not, then apps like QuickOffice HD might have worked, but I like the idea of having “the real thing” available to me.

Chapter 2: Calendar Invites – To accept or not to accept…

While on board the train, I received some meeting invites. Here’s another area for improvement in the iOS. Your choices for meeting invites in iCal are Accept, Maybe, and Decline. But none of the choices allow you to add comments. Many times I want to add comments to my selection, but I cannot. So usually I either wait until I’m back at my laptop to process the invite or I send back the response on my iGadget and follow it up with an email to the inviter explaining my response. Not ideal.

Chapter 3: SharePoint

My team keeps its data in SharePoint and accessing it requires being connected to the company VPN. Two apps do the trick: Junos Pulse for the VPN connection (also not allowed aboard Amtrak), and SharePlus Pro for SharePoint access and editing of data. So I can view, sort, edit, all good. Except I can’t upload a document to a record without that document already being attached to the app. And where do you do that? iTunes of course, on the laptop that is at the Apple Store Hospital getting new innards. There is another option, you can transfer files via WiFi, but you have to transfer them from your computer. Lesson learned. You really need to prepare by having all the documents you need or think you’ll need available to the apps in which you’ll be working with them. Many apps can access Dropbox. This one cannot so I’m out of luck. Another problem: I need to create a new iShare record for a customer and I need their ID out of our CRM, Siebel. Mobile Safari cannot be used to access Siebel, so I cannot accomplish this task either.

Are We There Yet?

Almost, and we’re getting closer every day. I could do most of what I needed to do solely with the iPad, some apps, and the Internet. But there is room for improvement for sure. Slowly and steadily Apple is untethering the iPad from the Mac, and I’m excited to see what new technologies will enable me and my colleagues to be more fully functional when we’re not “connected”.

Some smartphone apps could be covertly taking your business contacts to the cloud? We recently wrote about oblivious data loss and what seems to be the wild west of application development in this cloud security article.

“There are several security and privacy risks here, of course, not least the implications of BYOD smartphones in the enterprise with data hungry apps downloaded on them inadvertently exposing the confidential details of colleagues, clients and business partners.

At the moment apps don’t distinguish between groups when asking user permission to access the iOS address book, but even if they did, users may accidentally save a new business contact in their personal instead of corporate contacts group, and then allow an app access to the former, again resulting in oblivious data loss.”

Apple says that it will work to better protect iOS users from this kind of unknown data loss. However it is a reminder that data security cannot be assumed or trusted from any single point.

It’s the question every IT manager is asking. The short answer: there’s not a single consumer mobile operating system that offers all of the security and management capabilities that enterprises need—but they are getting better.

To get a complete picture of current mobile OS security holes and management challenges, I strongly recommend reading a timely new report developed specifically as a guide for IT managers. To conduct the analysis, industry analysts teamed up with Trend Micro’s CTO Raimund Genes and Cesare Garlati as well as other security experts.  Together they rated the top four platforms based on 60 security and management criteria.

Their in-depth report, Enterprise Readiness of Consumer Mobile Platforms, compares the most widely-used versions of BlackBerry OS, Apple iOS, Windows Phone, and Google Android. “The feature sets that IT managers should give high consideration to include: security certifications, device firewall, and support for virtualization, which are largely still missing.”

Read the full report to see how they rank. It also gives you a helpful guide for defining mobile roles and postures.

Do you think your mobile platform is ready for your organization?

As a result of the increase in consumer-grade sync and sharing solutions being used within business, a huge black hole has been created when it comes to protecting and controlling corporate data.

The enterprise can take a blanket view and block the access and synchronization of these solutions with gateway technology, or even completely lock down the PC so the sync agent cannot be installed. But, the problem here is these solutions deliver significant value to the user, and subsequently the business, so that zero-tolerance policy is not always the best option.

Consumerization is driven by simple technology that can be sexy, that the users want, which actually makes the life of the normal user better. Blocking or removing these solutions, while it improves security, will upset the staff and ultimately make them less productive and flexible. On top of this, many users will just find another way to do what they originally wanted and bypass corporate policy. This is the power of consumerization. Consumer-grade apps and devices will be used when there is a need that isn’t being met by Enterprise solutions.

So what is the answer? Enterprise-grade technology could be the answer, but herein lies another problem. Often it is Enterprise technology that actually creates the need for consumer-grade apps in the first place. Enterprise solutions tend to be overly complicated, and while the Enterprise admin can configure loads of policies and rules, the normal user experience is poor—so end users won’t use it. This creates two issues: 1) wasted money on enterprise investment, and 2) reduced employee productivity and flexibility.

The reality is that there are very few offerings out there that can offer the normal user the experience they get from consumer grade solutions, like Dropbox, but with the enterprise controls that keep the IT and security group happy, and most importantly the user engaged, productive and agile.

Now here comes the shameless plug….. Trend Micro SafeSync for Business has been designed with both parties in mind: the user and the IT admin. It enables the business to give a secure and manageable way of allowing users to access, sync and share their files from any device, anywhere, combined with a user experience that end users can really appreciate.

Check it out and see for yourself, and let us know what you think. We want to hear from you. www.trendmicro.com/safesyncforbusiness.

James Walker
Snr. Global Product Marketing Manager